Defines which classes of security alerts are logged to the syslog daemon. Errors of the class S_MEMORY are always logged to syslog, no matter what this configuration says, because a corrupted heap could cause the other logging options to malfunction during the logging process.

Defines the full path to an external logging script. The script is called with 2 parameters: the first is the alert class in string notation and the second is the log message. This can be used, for example, to mail failing MySQL queries to your email address, because on a production system these things should never happen.

When the Hardening-Patch logs an error, the log message also contains the IP of the attacker. Usually this IP is retrieved from the REMOTE_ADDR SAPI environment variable. With this switch it is possible to change this behavior to read the IP from the X-Forwarded-For HTTP header. This is necessary, for example, when your PHP server runs behind a reverse proxy.

Defines the maximum stack depth allowed by the executor before it stops the script. Without this feature an endless recursion in a PHP script could crash the PHP executor or trigger the configured memory_limit. A value of '0' disables this feature.

Comma-separated whitelist of URL schemes that are allowed to be included from include or require statements. In addition to URL schemes it is possible to specify the beginning of allowed URLs (e.g. php://stdin). If no whitelist is specified, the blacklist is evaluated.

Comma-separated blacklist of URL schemes that are not allowed to be included from include or require statements. In addition to URL schemes it is possible to specify the beginning of allowed URLs (e.g. php://stdin). If neither a blacklist nor a whitelist is specified, all URL schemes are forbidden.

Comma-separated whitelist of functions that are allowed to be called. If the whitelist is empty, the blacklist is evaluated; otherwise calling a function not in the whitelist terminates the script and is logged.

Comma-separated whitelist of functions that are allowed to be called from within eval(). If the whitelist is empty, the blacklist is evaluated; otherwise calling a function not in the whitelist terminates the script and is logged.

When an SQL query fails, scripts often output a lot of information that is useful to possible attackers. When this configuration directive is turned on, the script will silently terminate after the problem has been logged.

Defines the maximum length of variable names for variables registered through the COOKIE, the URL or through a POST request. This is the complete name string, including all indices. This setting is also an upper limit for the separate GET, POST, COOKIE configuration directives.

Defines the maximum length of a variable that is registered through the COOKIE, the URL or through a POST request. This setting is also an upper limit for the variable origin specific configuration directives.

Defines the maximum number of variables that may be registered through the COOKIE, the URL or through a POST request. This setting is also an upper limit for the variable origin specific configuration directives.

Defines the maximum name length (excluding possible array indices) of variables that may be registered through the COOKIE, the URL or through a POST request. This setting is also an upper limit for the variable origin specific configuration directives.

This defines the full path to a verification script for uploaded files. The script is given the temporary filename and has to decide whether the upload is allowed. A possible application for this is to scan uploaded files for viruses. The called script has to write a 1 as the first line to standard output to allow the upload. Any other value, or no output at all, will result in the file being deleted.
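
An example verification script following this contract, added here and not part of the Hardening-Patch documentation. It assumes the temporary filename arrives as the first argument; the 2 MiB limit, the `<?php` content check and the `UPLOAD_SCANNER` variable are hypothetical policy choices.

```shell
#!/bin/sh
# Added example: upload verification script (not from the Hardening-Patch docs).
# Contract from the text above: print "1" as the first line of stdout to allow
# the upload; any other output, or none, gets the file deleted.
# Assumption: the temporary filename is passed as the first argument.

MAX_BYTES=2097152        # assumed policy: reject uploads larger than 2 MiB

verify_upload() {
    f=$1

    # Fail closed: must be an existing regular file and not a symlink.
    [ -n "$f" ] && [ -f "$f" ] && [ ! -L "$f" ] || { echo 0; return 0; }

    # Reject empty and oversized files.
    size=$(($(wc -c < "$f")))
    [ "$size" -gt 0 ] && [ "$size" -le "$MAX_BYTES" ] || { echo 0; return 0; }

    # Reject content that carries a PHP open tag (e.g. code hidden in an image).
    if LC_ALL=C grep -aqiF -e '<?php' "$f"; then
        echo 0; return 0
    fi

    # Optional scanner hook (hypothetical variable): a command that takes the
    # file path and exits 0 only for clean files, such as an antivirus wrapper.
    if [ -n "${UPLOAD_SCANNER:-}" ]; then
        "$UPLOAD_SCANNER" "$f" >/dev/null 2>&1 || { echo 0; return 0; }
    fi

    echo 1
}

# Entry point: with no argument nothing is printed, so the upload is rejected.
if [ "$#" -gt 0 ]; then
    verify_upload "$1"
fi
```

Every failure path prints 0 or nothing, so an error in the script itself leads to the file being deleted rather than accepted.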